suricata
decode-erspan.c
Go to the documentation of this file.
1 /* Copyright (C) 2015 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * Decodes ERSPAN
31  */
32 
33 #include "suricata-common.h"
34 #include "suricata.h"
35 #include "decode.h"
36 #include "decode-events.h"
37 #include "decode-erspan.h"
38 
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 
42 /**
43  * \brief Function to decode ERSPAN packets
44  */
45 
46 int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
47 {
48  StatsIncr(tv, dtv->counter_erspan);
49 
50  if (len < sizeof(ErspanHdr)) {
51  ENGINE_SET_EVENT(p,ERSPAN_HEADER_TOO_SMALL);
52  return TM_ECODE_FAILED;
53  }
54 
55  const ErspanHdr *ehdr = (const ErspanHdr *)pkt;
56  uint16_t version = SCNtohs(ehdr->ver_vlan) >> 12;
57  uint16_t vlan_id = SCNtohs(ehdr->ver_vlan) & 0x0fff;
58 
59  SCLogDebug("ERSPAN: version %u vlan %u", version, vlan_id);
60 
61  /* only v1 is tested at this time */
62  if (version != 1) {
63  ENGINE_SET_EVENT(p,ERSPAN_UNSUPPORTED_VERSION);
64  return TM_ECODE_FAILED;
65  }
66 
67  if (vlan_id > 0) {
68  if (p->vlan_idx >= 2) {
69  ENGINE_SET_EVENT(p,ERSPAN_TOO_MANY_VLAN_LAYERS);
70  return TM_ECODE_FAILED;
71  }
72  p->vlan_id[p->vlan_idx] = vlan_id;
73  p->vlan_idx++;
74  }
75 
76  return DecodeEthernet(tv, dtv, p, pkt + sizeof(ErspanHdr), len - sizeof(ErspanHdr), pq);
77 }
78 
79 /**
80  * @}
81  */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:989
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
PacketQueue_
Definition: decode.h:620
Packet_::vlan_id
uint16_t vlan_id[2]
Definition: decode.h:435
DecodeThreadVars_::counter_erspan
uint16_t counter_erspan
Definition: decode.h:668
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-ethernet.c:41
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:163
Packet_
Definition: decode.h:407
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:436
version
uint8_t version
Definition: decode-gre.h:405
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:377
len
uint8_t len
Definition: app-layer-dnp3.h:2649
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DecodeERSPAN
int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Function to decode ERSPAN packets.
Definition: decode-erspan.c:46